Password Length Limits

April 7, 2010

I recently signed up to make my car payments online, which by itself is a wonderful thing. When I need to make a payment I simply double-check that the money is in my bank account and then I’m a few clicks away from just making the payment. I really don’t enjoy using the postal system, mostly because it takes time out of my day to write out the check, fill out the sending information on the envelope and then find a post office box or post office. The other great thing about online bill paying is that I get a lot less physical mail (something I strongly dislike unless it is a letter from a friend or something of that nature). This particular bill paying system (Ford Credit) has a notable limitation on the MAXIMUM length of a password: only 10 characters!

This upsets me for several reasons. The first reason is that all of my passwords are longer than 10 characters (some as long as 25). So, I have to truncate what would be an otherwise secure password in order to use my current password system. Either that, or Ford Credit needs to have its own password, which makes it much less likely that I will remember it (though I already have to remember the limitation of it being a 10 character password). It seems like the 10 character upper limit is fairly arbitrary. I understand that they might need an upper limit in terms of database storage or something, but I assume they run the password through a hashing algorithm, in which case the length of the actual password should not be an issue. It is a simple mathematical fact that longer passwords are more secure (exponential growth, after all). So why limit the upper bound?
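To make the hashing argument concrete, here is an added example (not code from the original post or from Ford Credit) that stores passwords with PBKDF2 from the Python standard library: the stored value is the same size whether the password is 10 or 60 characters, so storage is no reason for a 10 character cap, and the only defensible upper bound is a generous one that caps hashing work. The 8 and 128 character bounds and the iteration count are assumptions for the example.

```python
# Added example, not from the original post: fixed-size password storage
# regardless of password length, plus a sane length policy.
import hashlib
import hmac
import math
import os

MIN_LEN = 8      # assumed lower bound
MAX_LEN = 128    # assumed upper bound: it caps hashing cost, not storage
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed for the example)
SALT_LEN = 16


def check_length_policy(password: str) -> bool:
    """A generous maximum exists only to bound the work of hashing one login attempt."""
    return MIN_LEN <= len(password) <= MAX_LEN


def hash_password(password: str) -> bytes:
    """Return salt || digest. The digest is 32 bytes no matter how long the password is."""
    if not check_length_policy(password):
        raise ValueError("password length outside policy")
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest  # always 48 bytes: a 25 character password costs no more to store than a 10 character one


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not check_length_policy(password):
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Size of the search space in bits: log2(alphabet ** length) = length * log2(alphabet).

    This is the 'exponential growth' the post mentions: each extra character of a
    95-symbol printable alphabet adds about 6.6 bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    ten, twenty_five = "cr3d1t-c4r!", "the quick brown fox jumps ov"[:25]
    print(len(hash_password(ten)), len(hash_password(twenty_five)))        # 48 48
    print(round(keyspace_bits(95, 10)), round(keyspace_bits(95, 25)))      # 66 164
```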

The other thing that crosses my mind is that their maximum password length squashes the idea of a “passphrase”. I understand that there is a fundamental difference between passwords and passphrases, but I tend to like the idea of a passphrase simply because I find them easier to remember. Yes, I know it’s more typing, but if I have to look up passwords in kwallet I’m already better off time-wise using a passphrase.

To be clear, this isn’t a knock on the actual service offered by Ford Credit. I find that quite easy to use. It is just that the password policy seems rather strange to me.

“The Computer System Says So!”

March 31, 2010

I suppose this post is mostly a rant/reflection on my recent experience at the New Jersey DMV, but I also have some general thoughts about the excuse store employees, support organizations, insurance companies, etc. use to get information out of you. What I am talking about is that classic line: “I’m sorry sir, but our computers require it”. Oh, well, if that is the case I’ll gladly give you all my personal information! As long as the computer needs it!

This week I set off to try and register the motorcycle I ride under my name. I have been riding it for 2 years, but under my Dad’s registration and insurance. My Dad generously offered to let me have the bike as long as I was willing to pay for everything, which is certainly a more than fair deal. To set this up, you have to understand that I have the following documents: my dad’s registration, my dad’s insurance info, the insurance I put on the bike (because my dad is stopping that now), as well as the current and valid NJ Title for the bike. I figured this was more than enough information to transfer the title and register the bike under my name.

So, a couple of days ago I left work on my lunch break to visit the DMV (only 5 minutes from where I work). I give them all the information about the bike, but the VIN number is not 17 characters! *GASP*. Now, you have to understand here, the bike is a 1981 Yamaha XJ650 (pictured below). I am not sure that there were such rigorous requirements in 1981 about VIN numbers on bikes, and it definitely does not have a 17 character VIN, assuming it was even called a VIN in 1981. I was told that I would have to provide a _pencil tracing_ of the VIN number in question before I could register the bike. All this despite the fact that I had 4 other, quite legal, documents that had the VIN number on them. The reason I was given: “Well, we switched computer systems and the new system requires the pencil tracing, but going forward you won’t need it”.

Do you think that is a valid reason? I sure don’t. When they transferred the data, couldn’t they flag that, because this bike was already registered, this was not needed? Are you kidding? Look, I deal with computers all day, and I’m pretty sure there would have been a way to work around this. In fact, the system must already have an override to indicate that I had a pencil tracing. By the way, they would not accept a digital photograph, only a pencil tracing (humorous given that the pencil tracing is much harder to read).

All that being said, the thing which really upsets me about this is: the computer system was used as the excuse for why I needed the pencil tracing, when I’m pretty sure that was not the actual problem. I didn’t like it, but I was willing to play along and get the tracing. However, I would have at least liked an honest explanation of why I needed it.

I think this is a more widespread problem, though. For example, when I called a local insurance agency about the bike they too complained about the VIN number and gave the same reason. I politely let them know that I was no longer interested in getting insurance with them.

As a side note here, I would like to say something about dealing with people that tell you this sort of thing. I really tried my best to politely inquire of these people. Most of them are probably not the person who made the actual decision in question, and it is not their fault that the system was designed poorly, or in some cases that they were not properly informed about procedure. I worked in retail for 3 years and I know very well what it is like to have a customer come up and be in your face for 5 minutes about something you have NO control over. So do everyone a favor — be polite. I think it is fine to ask why, but if it is clear the person does not know (or has no way of knowing), let it go! Often you can take your business elsewhere without being rude about it. In fact, I will go so far as to say that there is no reason to be rude to these people. Raising your voice or not listening to them will just make them want to help you less.

Anyway, the solution? Well, it’s simple, just be honest 🙂. Tell people the real reason you can’t do something! Knowing why something can’t be done helps me to bring us to the solution faster. Computers only do what they are told, so some human made a decision at some point that led the computer to prompt the user that certain information must be entered. You can tell me the computer “won’t let you go further”, but so what? That is all predefined in the code; that doesn’t help me any.

Using a Scanner to Reduce Paper Clutter

March 17, 2010

OK, this might not be the most exciting subject, but I normally find it easiest to blog about things that are going on in my life. Two weeks ago I completed my 2009 tax return online using H&R Block. To be perfectly honest I had very mixed feelings about doing my taxes completely online, but that is the subject of another blog post. Anyway, ever since I got out into “the real world” I have found myself with an ever increasing amount of paperwork and documents that I either “need for tax purposes” or “need to keep for my records”. I absolutely despise clutter because I feel as though it slows me down. I dislike trying to find some cryptic piece of paper in a pile of junk. This large increase in paperwork led me to purchase a scanner to store my documents electronically.

The idea is quite simple (and hardly original). You get a document, you scan it in, and you save it as a PDF. Then, once it’s on your computer, you can set up whatever directory structure makes sense (I store by year and organization). Further, if you use consistent file naming you might be able to search your files for a document that you need. If you have been reading this blog for any length of time it should not be a surprise to learn that I am a Linux user. Presently I run Kubuntu 9.10, so it was important to me that my scanner work in Linux and that I be able to make said PDF files in Linux. The other consideration is that I wanted a cheap scanner since I am scanning mostly black and white documents. I do most of my shopping on Newegg and using the wonderful comments I was able to locate a Linux compatible scanner (more on the setup of that in a future post, but it was not trivial).

In any case once I had the scanner working, I could scan my documents into GIMP. Once they were in GIMP I saved them as PNG files and used everyone’s favorite “convert” to make them PDF files.

convert sample-png.png sample-pdf.pdf

If the documents were more than one page I used pdftk to make one giant document.

pdftk *.pdf cat output final-document.pdf

The trick to getting the *.pdf glob to concatenate in the correct document order is to prefix the documents with zero-padded numbers such as: 00-ImportantTaxThing.pdf, 01-ImportantTaxThing.pdf, 02-ImportantTaxThing.pdf, etc.

The method can be a bit roundabout, but I’m sure a bit of bash magic could speed things up a little. Perhaps if I’m feeling motivated I’ll write a little Python graphical front end to all this.
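Here is an added example (not the post’s own code) of the automation step just mentioned, written in Python: it orders the scanned pages by their numeric prefix, runs `convert` on each page, and then hands the resulting PDFs to `pdftk ... cat output`. It assumes ImageMagick’s `convert` and `pdftk` are on the PATH and that each page is a PNG whose name starts with a number followed by a dash, as in the post.

```python
# Added example, not from the original post: automate convert + pdftk for a
# directory of scanned pages named NN-something.png.
import os
import re
import subprocess
import tempfile
from typing import Iterable, List

PREFIX = re.compile(r"^(\d+)-")


def order_names(names: Iterable[str]) -> List[str]:
    """Return the numbered .png names in page order, ignoring everything else.

    Sorting on the parsed number rather than the raw string means 2-foo.png
    still lands before 10-foo.png even if the zero padding was forgotten; with
    a plain `pdftk *.pdf` glob that case silently produces 10, 2, ... order.
    """
    pages = []
    for name in names:
        m = PREFIX.match(name)
        if m and name.lower().endswith(".png"):
            pages.append((int(m.group(1)), name))
    return [name for _, name in sorted(pages)]


def ordered_pages(directory: str) -> List[str]:
    return order_names(os.listdir(directory))


def build_document(directory: str, output_pdf: str) -> None:
    """convert each page to a one-page PDF, then pdftk them into output_pdf."""
    pages = ordered_pages(directory)
    if not pages:
        raise ValueError("no numbered .png pages in " + directory)
    with tempfile.TemporaryDirectory() as tmp:
        pdfs = []
        for i, name in enumerate(pages):
            # re-pad to four digits so the intermediate files are unambiguous
            pdf = os.path.join(tmp, "%04d.pdf" % i)
            subprocess.run(["convert", os.path.join(directory, name), pdf], check=True)
            pdfs.append(pdf)
        subprocess.run(["pdftk", *pdfs, "cat", "output", output_pdf], check=True)


if __name__ == "__main__":
    import sys
    build_document(sys.argv[1], sys.argv[2])   # python scan2pdf.py scans/ final-document.pdf
```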

In any case, I have found this to be quite nice and it’s really easy to find these documents on the rare occasions I need them. Now, I should mention there is one flaw in my plan which my dad brought up. I don’t know what the laws are for needing physical copies of documents if you were, for example, audited by the IRS. So, for any extra special documents I just store them away in a folder that is unsorted on the off chance I might need them. Still, this allows me to keep a very clean desk, and still have access to all my documents.

Doing my Taxes Online

March 13, 2010

This year I decided to do my taxes entirely online. I used H&R Block’s internet service for doing taxes and overall it worked very well. I don’t know how complex a tax return their service can complete, but my taxes are still fairly simple as I don’t have many deductions and own very little. More frequent readers of my blog might be surprised to learn that I used such a service. After all, they have to store lots of personal information about me in order to complete the tax return!

It is true that I had to put a lot of personal information into this service, and I was quite nervous about that. Sure, they use SSL, but so what. If there’s one thing reading security news has taught me it is that a dedicated enough hacker can essentially get any information they desire. The sad reality I came to terms with is that as long as I am submitting electronically, I will already have to send important data over the internet.

Additionally, the convenience of the service partially convinced me to take such a risk. It is true that they sell software which can be installed on my local computer and in theory, if I mailed in my return, I could keep all of my data roughly within my possession. In fact, I am still considering doing it that way, but I am not sure if that is really that much more secure. However, the ability to just open a web browser and pick up where I left off is not something to leave out of this equation.

At any rate, the damage is already done, so to speak, and overall I was happy with the process. I still feel a bit uncertain as to whether this will come back to bite me or not, but I suppose we’ll see. At the heart of the matter is the fact that organizations use one’s social security number in exactly the wrong way (credit card companies, banks, etc.). It’s true that it’s a great unique identifier for a database, but there are other and better ways to do things.

Paypal Password Problems

March 10, 2010

So, last week I was going to purchase a shiny new scanner so that I might reduce the paper clutter that resides at my computer desk at home (more on that later). When I hit the “Finish” button to complete the transaction all seemed well and good until I got an e-mail from them saying that my credit card could not be charged. Long story short, somehow someone had my credit card number and ran it into the ground buying — wait for it — Facebook games (funny, I know). Anyway, I got my new card, and I also thought that this was a good time to change all my passwords.

Most of my password changing went without a hitch. However, PayPal had an interesting process. To change my password I had to provide the number of the credit card I had linked to my account. Well, one problem here: I had cut up and discarded my old credit card because it was no longer active. Not one to let that stop me, I took the next reasonable action: I unlinked the credit card from my account. Honestly, I was happy to do that anyway because I hate linking credit cards to online accounts. PayPal tried to make it hard for me to not have a credit card linked, but I was able to click past everything.

This is the best part, though. When I went to change my password I was allowed to do it without providing any additional security information. Frankly, I think using a credit card number as a security measure is a terrible idea to begin with, so I don’t care that, once I log into my account, password changing is easy. What I think is funny here is that they put in place a security measure that is trivial to circumvent. In other words, not a real security measure.

On the matter of storing credit cards in a database, I think that is also a big problem. If you don’t store the credit card — guess what — even if someone breaks in, it can’t be stolen! I think these companies should use more discretion when storing credit card numbers. I agree that sometimes numbers have to be stored for things like online monthly subscriptions, but short of that, why bother! I think online retailers shouldn’t even offer it as an option and make the customers aware that it is actually for their benefit. At the very least, don’t default to storing the card, make the user actively seek after that.

Anyway, that is my little tale about password changing, which is a practice I encourage everyone to do at least yearly. Also, I encourage different levels of password security. For instance I have one password I use for online retailer accounts (which I avoid creating if I can), one for e-mail, one for the blog, one for work, one for root access, etc. This way, if there is a breach, I don’t have to change all my passwords, only the ones within the security level that was broken.

I’m Leaving the Hosting up to WordPress

March 4, 2010

I recently put a post on the front page of my website stating that I have switched back to just having this blog on WordPress. The decision to do this was essentially dictated by hearing about a WordPress security vulnerability on the Security Now podcast on the TWiT network.

Now, certainly I am not so foolish as to think the WordPress platform can never have a vulnerability, but the problem is that I don’t always have time to sit down and make sure it is updated. My website is meant to be a window into my digital life that I can update from time to time, not something I have to spend hours a week maintaining.

That being said, I have made all the essential redirects and hopefully I haven’t broken too many RSS feed readers or bookmarks to my blog.

Originally, I set up my own WordPress blog thinking I would be all hip and have custom themes and be adding loads of cool plugins. The reality is, though, I didn’t need any of that and I didn’t have time to keep up with it. I’ll be able to get more done and write more if I just focus on the content of the blog. It would have also been nice to bring traffic to my site, but that is also a moot point now and I’ll just provide a link to for anyone interested.

Anyway, I don’t want this to sound like a slam on the WordPress platform. I really like WordPress and it has made blogging quite simple. Great job, guys!

Hopefully I’ll be writing more soonish … 🙂

Web Based TODO List: TaskFreak!

May 11, 2009

For the past year or so I have been keeping a digital copy of the list of things I need to get done (aka my todo list). Originally, this was simply a text file that I stored on the computer science lab computers at my college. This was handy because I could always access the computers via ssh and retrieve my todo list. Eventually, that became too annoying to manage and I installed the program gtodo on all my computers. I used sshfs on all my machines so that I could store the todo list on those same computer science machines. This was a great system, but now I am graduating from college, which also means that I have to give up my account as well. Since I recently purchased a domain and web hosting I figured a web based solution would be perfect for my needs. That’s how I discovered TaskFreak!

TaskFreak! has exactly the features I need and one or two extras. Those features are: it lets me enter a new item, associate it with a category, give it a priority, give an optional deadline, and indicate when it is finished. On top of all that TaskFreak! lets you give a description of the task, which can be displayed when clicking on a given task. TaskFreak! lets you sort your tasks however you choose simply by clicking the first cell in each column of the table. Setting it up was fairly straightforward as all I had to do was create a new MySQL database on my web server and tell TaskFreak! how to contact that database.

At the end of the day TaskFreak! is exactly what I need it to be and not much more. I wanted a simple, web based way to access my todo list. TaskFreak! delivers perfectly. I should also note that there are multi-user versions of TaskFreak! if that is the kind of solution one desires. Finally, I leave with a screenshot of the UI (as rendered by Firefox 3):

Screenshot of the UI